# CCDC Command Reference

## 50+ Essential Commands for Competition

---

## WINDOWS COMMANDS

### User & Account Management

```powershell
# List all users
net user

# List domain users
net user /domain

# Get detailed user info
net user [username]
net user [username] /domain

# Change user password
net user [username] [newpassword]

# Disable user account
net user [username] /active:no

# Add user to group
net localgroup Administrators [username] /add

# Remove user from group
net localgroup Administrators [username] /delete

# List local groups
net localgroup

# List domain groups
net group /domain

# List group members
net localgroup [groupname]
net group [groupname] /domain
```

### Service Management

```powershell
# List all services
Get-Service
sc query

# Check specific service
Get-Service -Name [servicename]
sc query [servicename]

# Start service
Start-Service [servicename]
net start [servicename]

# Stop service
Stop-Service [servicename]
net stop [servicename]

# Restart service
Restart-Service [servicename]

# Set service to auto-start
Set-Service -Name [servicename] -StartupType Automatic

# Disable service
Set-Service -Name [servicename] -StartupType Disabled
```

### Network Analysis

```powershell
# Show all connections
netstat -ano

# Show listening ports
netstat -an | findstr LISTENING

# Show connections with process names
netstat -anb

# Find process using specific port
netstat -ano | findstr :[port]

# Get IP configuration
ipconfig /all

# Show DNS resolver cache, then flush it
ipconfig /displaydns
ipconfig /flushdns

# ARP table
arp -a

# Route table
route print

# Test connectivity
Test-NetConnection [host] -Port [port]
ping [host]
```

### Process Management

```powershell
# List all processes
Get-Process
tasklist

# Find specific process
Get-Process -Name [processname]
tasklist | findstr [processname]

# Kill process by name
Stop-Process -Name [processname] -Force
taskkill /IM [processname] /F

# Kill process by PID
Stop-Process -Id [PID] -Force
taskkill /PID [PID] /F

# Process with network connections
Get-NetTCPConnection | Select-Object LocalPort,RemoteAddress,State,OwningProcess
```

### Event Logs & Auditing

```powershell
# View Security log (recent 50)
Get-EventLog -LogName Security -Newest 50

# View System log
Get-EventLog -LogName System -Newest 50

# Search for specific event ID
Get-EventLog -LogName Security | Where-Object {$_.EventID -eq 4625}

# Failed logins (Event ID 4625)
Get-WinEvent -FilterHashtable @{LogName='Security';ID=4625} -MaxEvents 20

# Successful logins (Event ID 4624)
Get-WinEvent -FilterHashtable @{LogName='Security';ID=4624} -MaxEvents 20

# New user created (Event ID 4720)
Get-WinEvent -FilterHashtable @{LogName='Security';ID=4720}

# Enable auditing
auditpol /set /category:"Logon/Logoff" /success:enable /failure:enable
auditpol /set /category:"Account Management" /success:enable /failure:enable
```

### Scheduled Tasks

```powershell
# List all scheduled tasks
schtasks /query /fo LIST /v
Get-ScheduledTask

# Show specific task
schtasks /query /tn [taskname] /v

# Delete scheduled task
schtasks /delete /tn [taskname] /f

# Disable scheduled task
Disable-ScheduledTask -TaskName [taskname]
```

### Firewall

```powershell
# Check firewall status
netsh advfirewall show allprofiles state
Get-NetFirewallProfile

# Enable firewall (all profiles)
netsh advfirewall set allprofiles state on
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True

# Block incoming port
netsh advfirewall firewall add rule name="Block [port]" dir=in action=block protocol=tcp localport=[port]

# Block IP address
netsh advfirewall firewall add rule name="Block [IP]" dir=in action=block remoteip=[IP]

# List firewall rules
netsh advfirewall firewall show rule name=all
Get-NetFirewallRule | Where-Object {$_.Enabled -eq 'True'}

# Delete firewall rule
netsh advfirewall firewall delete rule name="[rulename]"
```

### Active Directory

```powershell
# List domain controllers
nltest /dclist:[domain]

# List all AD users
Get-ADUser -Filter *

# List AD admins
Get-ADGroupMember "Domain Admins"
Get-ADGroupMember "Enterprise Admins"

# Find locked accounts
Search-ADAccount -LockedOut

# Unlock account
Unlock-ADAccount -Identity [username]

# Reset AD password
Set-ADAccountPassword -Identity [username] -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "[password]" -Force)

# Disable AD account
Disable-ADAccount -Identity [username]

# Check AD replication
repadmin /replsummary
```

---

## LINUX COMMANDS

### User & Account Management

```bash
# List all users
cat /etc/passwd
getent passwd

# List users with login shells (excludes nologin/false shells)
grep -vE 'nologin|false' /etc/passwd

# Current logged in users
who
w
last

# User details
id [username]

# Change password
passwd [username]

# Lock user account
usermod -L [username]
passwd -l [username]

# Unlock user account
usermod -U [username]
passwd -u [username]

# Add user to group
usermod -aG [group] [username]

# Remove user from group
gpasswd -d [username] [group]

# List groups
cat /etc/group

# List sudoers
cat /etc/sudoers
cat /etc/sudoers.d/*
getent group sudo
getent group wheel
```

### Service Management

```bash
# List all services
systemctl list-units --type=service
service --status-all

# Check service status
systemctl status [service]
service [service] status

# Start service
systemctl start [service]
service [service] start

# Stop service
systemctl stop [service]
service [service] stop

# Restart service
systemctl restart [service]
service [service] restart

# Enable service on boot
systemctl enable [service]

# Disable service on boot
systemctl disable [service]

# View service logs
journalctl -u [service] -f
```

### Network Analysis

```bash
# Show all connections
ss -tunapl
netstat -tunapl

# Show listening ports
ss -tlnp
netstat -tlnp

# Show established connections
ss -tnp state established

# Find process on port
lsof -i :[port]
ss -tlnp | grep :[port]

# IP configuration
ip addr
ifconfig

# Route table
ip route
route -n

# DNS configuration
cat /etc/resolv.conf

# ARP table
ip neigh
arp -a

# Test connectivity
ping [host]
nc -zv [host] [port]
curl -I http://[host]
```

### Process Management

```bash
# List all processes
ps aux
ps -ef

# Find specific process
ps aux | grep [name]
pgrep [name]

# Process tree
pstree -p

# Kill process by name
pkill [name]
killall [name]

# Kill process by PID
kill [PID]
kill -9 [PID]

# Top processes by CPU
top -bn1 | head -20

# Top processes by memory
ps aux --sort=-%mem | head -10
```

### Log Analysis

```bash
# Authentication logs
tail -f /var/log/auth.log        # Debian/Ubuntu
tail -f /var/log/secure          # RHEL/CentOS

# System logs
tail -f /var/log/syslog
tail -f /var/log/messages

# Web server logs
tail -f /var/log/apache2/access.log
tail -f /var/log/apache2/error.log
tail -f /var/log/nginx/access.log
tail -f /var/log/nginx/error.log

# Search logs for pattern
grep -i "failed" /var/log/auth.log
grep -i "error" /var/log/syslog

# Failed SSH logins
grep "Failed password" /var/log/auth.log
grep "Failed password" /var/log/secure

# Successful SSH logins
grep "Accepted" /var/log/auth.log
```
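The "Failed SSH logins" grep above only lists raw lines; during a competition you usually want to know which source addresses are responsible and how many attempts each made. The script below is an added example (not part of the original reference): it reads auth.log-format lines from stdin, counts "Failed password" events per source IP, and lists the IPs at or above a threshold. The sample log lines are constructed.

```bash
#!/bin/sh
# Added example, not from the original reference: summarise sshd
# "Failed password" lines by source IP. Reads log lines from stdin,
# e.g.  failed_ssh_by_ip < /var/log/auth.log

# Print "<count> <ip>" pairs, most frequent first.
failed_ssh_by_ip() {
    grep 'Failed password' \
      | grep -oE 'from [0-9]+(\.[0-9]+){3}' \
      | awk '{print $2}' \
      | sort | uniq -c | sort -rn \
      | awk '{print $1, $2}'
}

# Print only the IPs whose failure count is >= the threshold given as $1.
suspect_ips() {
    threshold="$1"
    failed_ssh_by_ip | awk -v t="$threshold" '$1 >= t {print $2}'
}

# Constructed sample lines in the sshd auth.log format (RFC 5737 test addresses).
SAMPLE_LOG='Mar  3 10:01:02 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  3 10:01:05 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51123 ssh2
Mar  3 10:01:09 web1 sshd[2104]: Failed password for root from 203.0.113.7 port 51130 ssh2
Mar  3 10:02:11 web1 sshd[2110]: Accepted publickey for deploy from 198.51.100.20 port 40000 ssh2
Mar  3 10:03:40 web1 sshd[2115]: Failed password for bob from 198.51.100.20 port 40011 ssh2'

# Usage on the constructed sample: full per-IP summary, then IPs with 3+ failures.
printf '%s\n' "$SAMPLE_LOG" | failed_ssh_by_ip
printf '%s\n' "$SAMPLE_LOG" | suspect_ips 3
```

On RHEL/CentOS feed `/var/log/secure` instead of `/var/log/auth.log`; the output of `suspect_ips` can be piped straight into the iptables block-IP rule from the firewall section.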

### Cron Jobs

```bash
# List current user's cron
crontab -l

# List all users' crons (users without a crontab are skipped silently)
for user in $(cut -f1 -d: /etc/passwd); do echo "=== $user ==="; crontab -u "$user" -l 2>/dev/null; done

# System cron directories
ls -la /etc/cron.d/
ls -la /etc/cron.daily/
ls -la /etc/cron.hourly/
cat /etc/crontab

# Edit cron
crontab -e

# Remove user's cron
crontab -r
```

### Firewall (iptables)

```bash
# List all rules
iptables -L -n -v
iptables -L -n --line-numbers

# Block incoming port
# (-A appends after existing rules; use -I INPUT instead if an earlier ACCEPT rule would match first)
iptables -A INPUT -p tcp --dport [port] -j DROP

# Block IP address
iptables -A INPUT -s [IP] -j DROP

# Allow port
iptables -A INPUT -p tcp --dport [port] -j ACCEPT

# Delete rule by number
iptables -D INPUT [number]

# Save rules (Debian/Ubuntu)
iptables-save > /etc/iptables/rules.v4

# Save rules (RHEL/CentOS)
service iptables save
```

### Firewall (firewalld)

```bash
# Check status
firewall-cmd --state
systemctl status firewalld

# List all rules
firewall-cmd --list-all

# Close port (removes the allow rule; the zone's default target then rejects it)
firewall-cmd --permanent --remove-port=[port]/tcp

# Allow port
firewall-cmd --permanent --add-port=[port]/tcp

# Block IP
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="[IP]" reject'

# Reload firewall
firewall-cmd --reload
```

### File & Permission Checks

```bash
# Find SUID files
find / -perm -4000 -type f 2>/dev/null

# Find SGID files
find / -perm -2000 -type f 2>/dev/null

# Find world-writable files
find / -perm -002 -type f 2>/dev/null

# Find files modified in last 24 hours
find / -mtime -1 -type f 2>/dev/null

# Find files owned by root writable by others
find / -user root -perm -o+w -type f 2>/dev/null

# Check SSH keys
ls -la ~/.ssh/
cat ~/.ssh/authorized_keys

# Check for hidden files in home directories
ls -la /home/*/
ls -la /root/
```

---

## QUICK REFERENCE CARD

### Immediate Threat Response

| Task | Windows | Linux |
|------|---------|-------|
| Kill process | `taskkill /PID [n] /F` | `kill -9 [PID]` |
| Block IP | `netsh advfirewall firewall add rule name="Block" dir=in action=block remoteip=[IP]` | `iptables -A INPUT -s [IP] -j DROP` |
| Disable user | `net user [name] /active:no` | `usermod -L [name]` |
| Stop service | `net stop [svc]` | `systemctl stop [svc]` |
| Check connections | `netstat -ano` | `ss -tunapl` |

### Evidence Collection

| Task | Windows | Linux |
|------|---------|-------|
| Running processes | `tasklist /v` | `ps auxf` |
| Network connections | `netstat -anob` | `ss -tunapl` |
| Logged in users | `query user` | `w` |
| Recent logins | `wevtutil qe Security /q:"*[System[EventID=4624]]" /c:20 /rd:true /f:text` | `last` |
| Scheduled tasks | `schtasks /query` | `crontab -l` |

---

_Reference by CCDC.x1000.ai - Elite Blue Team Training Platform_
